From fc0cbbd2af2f98d10e740d6ff7ce9f1888dec222 Mon Sep 17 00:00:00 2001
From: Matthew Fennell <matthew@fennell.dev>
Date: Sun, 10 Aug 2025 19:13:10 +0100
Subject: Set pipefail when retrieving DANE hash

This is now enforced by ansible-lint.
---
 playbook.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/playbook.yaml b/playbook.yaml
index 45e7ac0..5399fd2 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -54,9 +54,10 @@
    - name: Retrieve DANE hash
      ansible.builtin.shell:
       cmd: >
-       openssl x509 -in ~/.lego/certificates/{{ virtual_host }}.crt -noout
-       -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
-       -binary | hexdump -ve '/1 "%02x"'
+       set -o pipefail && openssl x509 -in
+       ~/.lego/certificates/{{ virtual_host }}.crt -noout -pubkey | openssl
+       pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve
+       '/1 "%02x"'
      register: dane_hash
      changed_when: false
      delegate_to: localhost
-- 
cgit v1.2.3